qakbot | c0f7ebcd16182e2d5d5e05c310f161eb61eb0c20569827a09e65c1f93a866de0

General

Target

71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll
Size

502KB
MD5

c3a6d02b5417075185f4fe3053731095
SHA1

ed6f591b4a0c24c8314b1e62df799603ffc50e02
SHA256

71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02
SHA512

c1577c3d6de71181bef0dd324afeb5c4b36d874ee6fc32d55e4954892076123316f3e255ded5ff59a946ae20918ab756b7deb491b22152a6b9d79754a30e03f9
SSDEEP

12288:V2Nje8T1MgBj4W1A7IIQmVyEcij9IB/XrtJPrGYidZKCRw9WU:oNK8LBj4WmHQOAe9IB/btFyYiPw

Score

10^/10

qakbot notset 1632819510 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

notset

Campaign

1632819510

C2

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Uryplzuuf = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Undnhbwry = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1996 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe

pid	process
1996	regsvr32.exe

pid	process
1376	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\2684f04d = dd8c10f64459bfa95839315fe2c394866e2e271ae1f351e4dcb6aa6f9017a5c6dc7f6751f4c36799f85accb989713c17fb471124e78368886584af0be64e5e51110c929240ae341371b14f93bd01d65a844924a999e978aad5f71d5fec95f1a50d15a108921c901914c048ddb3fc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\d4ee2890 = 2a124c48691e9c7c87e0e7ba093235f0b9e74b6e015f592e3f92571181bf7c0e2ce637d3fab447235640895efd30	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\aba74766 = 9657c3f294dd6ccc2d5a876c6665e2c69060455b9b370c33c29b18adba8ed0c9f95db2e5f3523299e335f126452ce02a7aa899188d95b0abc3f1cb72	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\9c79b754 = 048944f6e7b0ba633e6825cf27736224c5927f0936f5c2825992c0f5fe30ad3add8fe494373d5e3f5c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\24c5d031 = 47055050b3acc3e73af4800eda7d38cd64bb97bb68	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\59cd9fbb = 0da98dd380f7d4289a6c0c7022438db33056bfaa6f72ae035e88326add92463a1f62225c7406981f30a95bf142b2a25d1dc68f513ebf71b426088f338473157e3e3a085f056eebd6aee7678fdecf8ecf5b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\e171f8de = b1f238ae8f3543894a86b73aa8bbde3b602937def23afc0937d6dad511c92019367feeba63f61abf5b330b4ae6f59279f7905c9520b363eca1642138c14186db	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\aba74766 = 9657d4f294dd59dd404cea0b24d9d553b4e67e1f55b9464428482a1fe7692591f6483964df77c2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Poqcuyowoyzia\9e389728 = 61049985d58221a78012cbaf019ec9179fec6f11db809652dd15aabe8f31d8c529fb5d4d6c245126cadb9e6a11643a72ff0a80edc91941fff73012704a114d2dcf1aaea996015fb2e59caf4ee8394acb16d5fa826dde1b27e777337bea7eb562cc26cfee86d8606b50edb13b2939c074c65eb583123c3198958d	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1524 rundll32.exe
1996 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1524 rundll32.exe
1996 regsvr32.exe

pid	process
1524	rundll32.exe
1996	regsvr32.exe

pid	process
1524	rundll32.exe
1996	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1456 wrote to memory of 1524	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 1524	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 1524	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 1524	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 1524	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 1524	1456	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 1524	1456	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 948	1524	rundll32.exe	explorer.exe
PID 1524 wrote to memory of 948	1524	rundll32.exe	explorer.exe
PID 1524 wrote to memory of 948	1524	rundll32.exe	explorer.exe
PID 1524 wrote to memory of 948	1524	rundll32.exe	explorer.exe
PID 1524 wrote to memory of 948	1524	rundll32.exe	explorer.exe
PID 1524 wrote to memory of 948	1524	rundll32.exe	explorer.exe
PID 948 wrote to memory of 1376	948	explorer.exe	schtasks.exe
PID 948 wrote to memory of 1376	948	explorer.exe	schtasks.exe
PID 948 wrote to memory of 1376	948	explorer.exe	schtasks.exe
PID 948 wrote to memory of 1376	948	explorer.exe	schtasks.exe
PID 360 wrote to memory of 436	360	taskeng.exe	regsvr32.exe
PID 360 wrote to memory of 436	360	taskeng.exe	regsvr32.exe
PID 360 wrote to memory of 436	360	taskeng.exe	regsvr32.exe
PID 360 wrote to memory of 436	360	taskeng.exe	regsvr32.exe
PID 360 wrote to memory of 436	360	taskeng.exe	regsvr32.exe
PID 436 wrote to memory of 1996	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1996	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1996	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1996	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1996	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1996	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1996	436	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 1836	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1836	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1836	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1836	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1836	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 1836	1996	regsvr32.exe	explorer.exe
PID 1836 wrote to memory of 1476	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1476	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1476	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1476	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1884	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1884	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1884	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1884	1836	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gaxchgptjs /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll\"" /SC ONCE /Z /ST 10:45 /ET 10:57
4⤵
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\taskeng.exe
taskeng.exe {CB1FA215-913C-4EDB-9F49-94EAA2E50D08} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Uryplzuuf" /d "0"
5⤵
- Windows security bypass
PID:1476

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Undnhbwry" /d "0"
5⤵
- Windows security bypass
PID:1884

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll
Filesize
502KB

MD5
c3a6d02b5417075185f4fe3053731095

SHA1
ed6f591b4a0c24c8314b1e62df799603ffc50e02

SHA256
71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02

SHA512
c1577c3d6de71181bef0dd324afeb5c4b36d874ee6fc32d55e4954892076123316f3e255ded5ff59a946ae20918ab756b7deb491b22152a6b9d79754a30e03f9

Download Submit
\Users\Admin\AppData\Local\Temp\71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02.dll
Filesize
502KB

MD5
c3a6d02b5417075185f4fe3053731095

SHA1
ed6f591b4a0c24c8314b1e62df799603ffc50e02

SHA256
71e4f7864d915a86246aa892fa2d48579f441627156bd3cf65508dce6acf9d02

SHA512
c1577c3d6de71181bef0dd324afeb5c4b36d874ee6fc32d55e4954892076123316f3e255ded5ff59a946ae20918ab756b7deb491b22152a6b9d79754a30e03f9

Download Submit
memory/436-71-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/436-70-0x0000000000000000-mapping.dmp

Download
memory/948-65-0x0000000074141000-0x0000000074143000-memory.dmp

Filesize
8KB

Download
memory/948-69-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/948-67-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/948-63-0x0000000000000000-mapping.dmp

Download
memory/1376-68-0x0000000000000000-mapping.dmp

Download
memory/1476-88-0x0000000000000000-mapping.dmp

Download
memory/1524-62-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1524-54-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/1524-60-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1524-59-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1524-57-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1524-58-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1524-56-0x00000000001A0000-0x0000000000222000-memory.dmp

Filesize
520KB

Download
memory/1524-55-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1524-66-0x0000000000690000-0x00000000006B1000-memory.dmp

Filesize
132KB

Download
memory/1836-83-0x0000000000000000-mapping.dmp

Download
memory/1836-87-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1884-89-0x0000000000000000-mapping.dmp

Download
memory/1996-78-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/1996-79-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/1996-81-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/1996-82-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/1996-80-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/1996-86-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/1996-77-0x0000000000AD0000-0x0000000000AF1000-memory.dmp

Filesize
132KB

Download
memory/1996-76-0x0000000000940000-0x00000000009C2000-memory.dmp

Filesize
520KB

Download
memory/1996-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads